The Denver Zoo Conservation Alliance is minimizing the potential for cybersecurity attacks at the Denver Zoo because it is properly managing its outdated IT infrastructure, according to a new audit from Denver Auditor Timothy M. O’Brien, CPA.

“It’s not often we complete audits where an auditee is doing nearly all the right things. I applaud the zoo and their IT team for establishing and maintaining a culture where IT protections are taken seriously in policy and in practice. They are setting a quality standard that other Denver agencies and IT teams should follow,” Auditor O’Brien said.

Outdated infrastructure in IT equipment and software can pose risks such as weak security, loss of innovation, and wasted productivity. These risks can be reduced by replacing outdated infrastructure or implementing complementary controls. The audit sought to identify any outdated infrastructure risks at the Denver Zoo.

The Denver audit office found the Denver Zoo Conservation Alliance’s IT team is proactively identifying, reporting, budgeting, and replacing its outdated infrastructure. They are communicating their needs through the zoo’s leaders and to the board of governors who approve the budget and provide sufficient funding to replace outdated infrastructure. This system allows the zoo to efficiently and effectively manage IT risks.

Over 882 pieces of the zoo’s IT equipment were examined, and just 13 of them (1.3%) were found to have outdated infrastructure. The zoo’s IT team is aware of these 13 items. The team is appropriately managing the risk of all of them and provided a detailed status of each.

  • Two operating systems that are not supported by the vendor are installed on computer equipment that is powered off and ready to be disposed of.
  • Three mobile devices are outside of the five-year replacement period, but there are documented plans to replace the devices.
  • Three pieces of network equipment are not supported by a vendor or receiving security updates. However, they are not connected to the network, remote access is disabled, and the equipment is powered off, which reduces the risk of the equipment becoming compromised. The equipment is used for testing and as a backup in case active network equipment fails.
  • Five servers have reached their end of life but are powered off and only used as a tertiary (third in line) disaster recovery backup solution.

For years, the zoo had listed IT equipment purchases in a manual database. It later implemented management software to create an inventory of IT equipment. However, during the audit, the IT team had not yet reconciled the database and the software. This prevented the zoo from monitoring and tracking the equipment using the management software. The audit found 25 pieces of IT equipment recorded in the database that do not have the required software to communicate with the management software.

“With a complete and accurate inventory, the zoo can better manage and identify the IT equipment that may put the zoo at risk for cyberattacks,” Auditor O’Brien said. The Denver Zoo Conservation Alliance agreed with the audit team’s recommendation to reconcile its IT equipment database with IT equipment management software records.

The zoo also agreed with the second recommendation to update its policy by documenting what the zoo defines as outdated infrastructure and the risks the zoo is willing to accept when using outdated infrastructure.

“With just two recommendations, the zoo’s IT team does not have many areas of improvement. Once the inventory and policies are addressed, the zoo will be in an even stronger position to mitigate outdated infrastructure risks,” said Auditor O’Brien.

 
